Key Actions
Roughly in order of priority.
- Always protect your devices with an alphanumeric passcode (PIN) or biometric authentication...
Passcode is better; the courts have ruled that biometrics (face recognition or fingerprints) are not protected by the fourth amendment. I suggest a PIN for your phone and then fingerprint for apps inside if your phone allows it.
You may feel you are not likely to have the police trying to get access to your phone, and you're probably right, but law enforcement has gotten pretty grabby with copying the contents of cell phones, often without a warrant, and they routinely misuse public databases.
- Deny apps permissions...
On your phone and other computers, set each app's permissions for Location, Contacts, Microphone, and Camera to "off", "only when using the app", or "ask every time".
Turn off access to the Microphone, Camera, Location, Contacts, etc. for all apps that do not need it (why does a little cell phone card game need access to your microphone??). If you don't do this, then any app that has ever been allowed access can turn on and use the mic and camera at any time without you knowing, track all your movements, and copy and upload all your Contact info, etc. at any time with no notice or further permission from you.
Be wary of the apps you download and install. Over 12,000 apps in the Apple App Store and Google Play store were recently found to be secretly tracking users' location, selling the information to various aggregators, and using it to push ads. (The article says over 2000 but there are over 12,000 listed on the spreadsheet). Remember that these are just the ones that were caught. Be careful what you install, deny all the permissions that are not needed for the app to work, delete apps that aren't used regularly.
- Install Firefox browser with the uBlock Origin extension.
- Install an authenticator app...
You need it for your 2FA. (Use 2FA everywhere you can! It could save your ass.) Good ones include 2FAS and Aegis (also available on F-Droid; may be Android only) but any of them is better than none. Note that the FBI now recommends 2FA for your email account(s), especially and specifically Gmail, due to a surge in account takeovers.
- Turn off the Radios...
Turn off Bluetooth, GPS/Location, and Wi-Fi whenever you are not actually using them on your phone and on your computers. They are used by thieves to track you and to select targets, they are used by stores to track your shopping and every move you make in the store, and they are used by surveillance companies (like Meta (Facebook), Google, Amazon, WalMart, etc.) to track you and gather enormous amounts of information about you. This information can be used or re-sold in a variety of ways, very few of which have any benefit to you at all.
- Install Signal (or Telegram or Briar) for private messaging...
Signal is also available on both the Google Play store and F-Droid. It also includes encrypted voice and video calls and group messaging of up to 1000 people.
Molly is a Signal-compatible messenger (it's a fork of the Signal code) that is somewhat more private. It's on F-Droid, not sure about Play store but I would guess not.
Don't use SMS/MMS ("txt messaging"); they were never intended to be private or secure. The newer RCS standard for messages is more secure than the older SMS/MMS protocols. Messaging is switching to using RCS for better security and it does seem to be an improvement, but is not in a class with Signal, Telegram, or Briar.
I have never used Telegram but it is supposedly very secure. Security analysts note that it has encryption algorithms written WITHOUT using industry best practices. This does not mean it is insecure. It does mean that it is very difficult to tell whether it is secure or not.
Briar is another one I haven't used (I would suggest the F-Droid version over the Play Store but it does require more work). It is a secure messaging/calling system that remains usable without cell towers or Wi-Fi; phones can link directly by their Bluetooth or Wi-Fi radios and form a mesh network, sort of like the way truckers in the halcyon days of the 1970s would use CB radios to pass messages beyond the actual reach of their radios, passing the message from truck to truck, except Briar is automatic.
I personally would not use WhatsApp due to Meta's unsavory history. I would not use Telegram due to poor development practices (ignoring industry standard practices).
- Consider installing Jitsi Meet instead of Zoom or Teams...
Much more private and is free. Note: Signal also has video calls and voice calls. Jitsi is available on both the Playstore and F-Droid and there is a version for laptops/desktops also. Jitsi has a web version, too, that you access through your browser. The advantage of the web version of Jitsi is that you can use it with people who do not know how or do not want to install an app. This is unlike Signal and similar apps that do require an account and an app to be installed. Jitsi is fast, free, and can be used by anyone with a browser.
- Delete any apps you are not using regularly...
Every app is a potential attack surface. If you aren't using it regularly, you probably don't need it. If you find you do need it occasionally, re-install it, use it, then uninstall it.
- Prefer web pages over apps...
If an app on your phone has a web page, harden your browser and use the web page instead of the app. Phone apps are horrible for your security and privacy no matter what they promise, as noted above under "Deny Apps Permissions".
- Install NewPipe to watch YouTube videos...
NewPipe is a great player that blocks ads and trackers and also has less insane recommendations. Available on both the Google Play store and F-Droid. Google hates it, however, so not sure how reliably available it will be.
- Install VLC for videos and music...
This is, hands down, the best media player available for general use. Plays downloaded movies and music files. Has lots of features, free, doesn't track or show ads. Private, open source, not prone to trackers, very high quality. Available on both the Playstore and F-Droid. There are also Windows and Linux versions and there is a "portable" version for Windows.
- Consider installing the F-Droid app...
F-Droid is an alternate app store that is similar to Google's Playstore but without the tracking. It focuses on FOSS (Free Open Source Software). These are generally smaller, fast, and vastly more private than those in the Playstore. Slightly more techie and not a panacea, but can be beneficial.
Note that FOSS has the same risk of malware as commercial software (but I believe not a higher risk, despite what the commercial companies will try to tell you). You should always do a search on any software you are thinking about installing on your computer or phone to see if there are any red flags.
Important Reminders
- REMEMBER: You cannot ever be sure who is texting or calling...EVER!
Remember: You can never, ever be completely sure who sent a text message or an email, nor can you ever be sure who is calling you. Caller ID, email return addresses, even the voices of loved ones you know intimately, can be easily faked today.
If any message asks you to click on something, anything, it is spam (or worse). If it suggests urgency it is definitely a scam. If it is at all threatening it is a crime. Report it to the FBI. They won't do anything about it, but it makes them feel appreciated.
Some experts suggest establishing a "secret word" or phrase known only to you and loved ones that will let you confirm that the person you are talking to is really who they say. So, for example, someone calls claiming to be your daughter, it sounds like her, she says she has been kidnapped and you have to send $1000 to the kidnappers so they will release her; is it her or a voice fake? (Some parents have already been fooled with this, it is not a hypothetical).
If you have a code word, they might say "The word is 'dynamo'." (Weird but so what) and you will know it is really her. A scammer will not be likely to say the code word and you will know it is a fake. Another scam involves "kids" calling relatives claiming they have been arrested and need bail money, "Please don't tell mom & dad, they would be so mad!" Having a code word or phrase is not a bad idea.
- Never open email or text message attachments you weren't expecting...
Attachments can insert malware even if all you do is open them and look at them. If you absolutely have to, first ask yourself whether you really have to, and if you still think so, then go to VirusTotal and upload it there first. Be aware that a vulnerability was just patched in Microsoft Outlook that would allow someone to take total control of your computer if you just previewed an attachment; you don't even have to open it. There will always be more vulnerabilities in very complex programs.
- Never call telephone numbers in emails or texts...
Remember, you cannot ever be sure who sent an email or text, which means that you can't be sure any email addresses, phone numbers, or addresses are real. Look up the person/company another way or use the number from a source you can verify.
- Never click on links in email or texts in general and never from senders you weren't expecting. Same reason as telephone numbers above.
- Don't send money online to anyone who requests it from you online...
Not even if you think you know who it is and especially if they request gift cards, no matter how convincing they are. Not the IRS, police departments, nor anyone else is ever going to ask you to do this. It's a scam. The FBI warns about voice fakes. You will not be able to tell.
Some folks recommend that you establish "code words" with your family that you can use to confirm who you are really talking to. For example, something a bit subtle so if someone overhears you it isn't as obvious that you are using a code. "Mom, things aren't copacetic right now." But you could just as easily use "May I mambo dogface on the banana patch?" This way, if you need to call home for some bail money or whatever, you can assure your mom that it's really you and not a scammer using one of the cool new AI voice fakers.
- Don't share news about your family, job, vacation, or other personal life events on public social media sites...
It's bad enough on private pages but to put it on a site available to everyone in the world is insane. Thieves and scammers use these sources to learn about you and your family, what you have, when you are home or not, or how to make a scam sound more convincing by using details in their "conversations" with you. (See "You cannot ever be sure who is texting or calling" up above.) No reason to make it easier for them.